A peek inside the uBot malware bot

by

Share this news now.

Participants in the dynamic cybercrime underground ecosystem are constantly working on new cybercrime-friendly releases in the form of malware bots, Remote Access Tools (RATs) and malware loaders.

Continuing the “A peek inside…” series, in this post I will profile yet another DIY (do-it-yourself) malware bot, available at the disposal of cybercriminals at selected cybercrime-friendly online communities.

Description of the malware bot:

“µBOT, originally named “WEBNET”, is a stable HTTP bot created for the use of herding and is perfect for collecting hundereds, and thousands of bots at an affordable price. The simple to use interface and reliable bot allows you to control your botnet with confidence, knowing your bots are safe and stable is what botnet masters need most, and this is what we provide to you with µBOT.The “µ” within in our name represents simplicity and small size, which is directly in relation with our bot itself, with a tiny size of 9kb compressed with the control from the easy-to-use control panel.”

uBot’s malware bot features include:

INSTANT Infection, no waiting.
- Download & Execute.
- Update.
- Visit Webpage [Visible].
- Visit Webpage [Invisible].
- Uninstall.
- Add to Startup.
- Critical Process.
- Hidden File.
- Admin detection.
- Mutex.
- Coded in VB6, no .NET Framework dependency!
- Small, ~10kb compressed, 36kb uncompressed.
- Great stability.

Panel:
- Detailed statistics.
- Location plot, map graph.
- Pie Charts [Bot Status, Operating System, Admin].
- Tool-tip for last commands sent for each client.
- Bot selection preferences.
- Integrated Ajax, means everything is realtime! From client list to bot count.

Screenshots of the uBot malware bot:

The AJAX- based bot is coded in VB6, meaning there are no .NET Framework dependencies. Next to the small size – ~10kb compressed, 36kb uncompressed — the malware bot offers an easy to use web-based command and control interface, positioning it as the perfect tool in the arsenal of the malicious attacker.

Webroot’s Security Team is currently in the process of analyzing the malware bot, to ensure that Webroot SecureAnywhere customers are protected for its variants.

Related posts:

A peek inside the PickPocket Botnet

A peek inside the Cythosia v2 DDoS Bot

A peek inside the Umbra malware loader

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.


Share this news now.
A peek inside the uBot malware bot by

Trackbacks

  1. [...] series. Continue going through related analysis of malware bots/loaders profiled in 2012, such as, uBot, Umbra malware loader, the PickPocket Botnet, the Smoke Malware Loader, the Elite Malware Loader, [...]